
wosign and letsencrypt.cn / letsencrypt.com.cn

6,177 views

tde...@gmail.com
Dec 16, 2016, 1:18:27 PM
to mozilla-dev-s...@lists.mozilla.org
It seems that WoSign has registered the domains letsencrypt.cn and letsencrypt.com.cn in 2014, after the public announcement of Let's Encrypt:

whois letsencrypt.cn
Domain Name: letsencrypt.cn
ROID: 20141120s10001s72911711-cn
Domain Status: clientTransferProhibited
Registrant ID: k35-n2041486_00
Registrant: 深圳市沃通电子商务服务有限公司
Registrant Contact Email: d...@wosign.com
Sponsoring Registrar: 厦门三五互联科技股份有限公司
Name Server: ns3.dns-diy.com
Name Server: ns4.dns-diy.com
Registration Time: 2014-11-20 09:57:27
Expiration Time: 2017-11-20 09:57:27
DNSSEC: unsigned

whois letsencrypt.com.cn
Domain Name: letsencrypt.com.cn
ROID: 20141120s10011s84227837-cn
Domain Status: clientTransferProhibited
Registrant ID: k35-n2041486_00
Registrant: 深圳市沃通电子商务服务有限公司
Registrant Contact Email: d...@wosign.com
Sponsoring Registrar: 厦门三五互联科技股份有限公司
Name Server: ns3.dns-diy.com
Name Server: ns4.dns-diy.com
Registration Time: 2014-11-20 09:57:28
Expiration Time: 2017-11-20 09:57:28

Let's Encrypt was announced publicly on November 18, 2014 ( http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm ). Those domains appear to have been registered two days after.

Certificate authorities are about trust. I don't feel comfortable about a CA registering a domain matching the name of another CA. What is the position of Mozilla about that?
Maybe Let's Encrypt or wosign have more information about these domains?

https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786

Other relevant thread: Comodo Legal Phishing attack against ISRG?
https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ

Richard Wang
Dec 18, 2016, 8:45:16 PM
to tde...@gmail.com, mozilla-dev-s...@lists.mozilla.org
I wish everyone can talk about this case friendly and equally.

It is very common that everyone can register any domain based on the first come, first served rule.

We know Let's Encrypt was released after the public announcement, but two days later its .cn domain was still not registered; I think maybe it was caused by the strict registration rules in China, so I registered it for protection, so that it would not be registered by Cornbug.

We don't use those domains for any of WoSign's services, though we provide a similar service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt)

Now, if Mozilla or Let's Encrypt contact me officially and request to transfer the two domains to them, no problem, we can transfer them for FREE!

But please notice that this arrangement is for friendship, not for others ......


Best Regards,

Richard
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

jo...@letsencrypt.org
Dec 18, 2016, 11:36:10 PM
to mozilla-dev-s...@lists.mozilla.org
We had some trouble figuring out how to purchase a Chinese domain name before we launched, so we didn't purchase it then. We've never talked to wosign about this before, and we haven't seen the domain used for anything confusing so far. This is our first interaction about it and we're happy to hear that Richard would like to help us out by transferring the domains.

Thanks Richard, I'll be in touch.

Han Yuwei
Dec 19, 2016, 2:54:52 AM
to mozilla-dev-s...@lists.mozilla.org
On Monday, December 19, 2016 at 12:36:10 PM UTC+8, jo...@letsencrypt.org wrote:
Registering a domain in China is very different from common international practice. For further advice I suggest LE should contact their lawyer.

Since letsencrypt.org is very famous, I think the best way is to redirect letsencrypt.com.cn and letsencrypt.cn to letsencrypt.org

rain...@gmail.com
Dec 19, 2016, 4:20:03 AM
to mozilla-dev-s...@lists.mozilla.org
Dear WoSign,

That's interesting. So why did you start talking about it today, after those domains were exposed?

You had plenty of time to donate them before today, didn't you?

BTW: I do vaguely remember that one day I clicked one of those domains, and it wasn't a 404 page back then.

Howard Xiao
Dec 19, 2016, 4:20:03 AM
to mozilla-dev-s...@lists.mozilla.org
On Sunday, December 18, 2016 at 5:45:16 PM UTC-8, Richard Wang wrote:
> We know Let's Encrypt was released after the public announcement, but two days later its .cn domain was still not registered; I think maybe it was caused by the strict registration rules in China, so I registered it for protection, so that it would not be registered by Cornbug.

I found it really hard to comprehend why you believe you should be registering a domain name "for protection" that belongs to another brand, especially where there is definitely a conflict of interest involved.

> We don’t use those domains for any WoSign's services
Until a few days ago, letsencrypt.cn pointed to a Microsoft/21vianet Azure China server, 211.151.125.110 [1][2]. A reverse lookup on this IP [3] yields hostnames implying WoSign services (pkiclick.net, wosigncode.net, etc.). As of the time of this email, a DNS lookup of this domain name yields NXDOMAIN, which means WoSign has made the effort to remove the record. Why bother adding the DNS record in the first place, then?

[1] http://whois.domaintools.com/letsencrypt.cn
[2] http://viewdns.info/iphistory/?domain=letsencrypt.cn
[3] http://bgp.he.net/ip/211.151.125.110#_dns

xubin...@gmail.com
Dec 19, 2016, 4:20:03 AM
to mozilla-dev-s...@lists.mozilla.org
Well, at least it seems that they're not (ab)using it for now.

```
$ dig letsencrypt.cn
; <<>> DiG 9.11.0-P1 <<>> letsencrypt.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63776
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;letsencrypt.cn. IN A

;; ANSWER SECTION:
letsencrypt.cn. 3481 IN A 211.151.125.110

;; Query time: 0 msec
;; SERVER: [scrambled]
;; WHEN: Sun Dec 18 15:30:24 JST 2016
;; MSG SIZE rcvd: 59

$ curl letsencrypt.cn
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Service Unavailable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Service Unavailable</h2>
<hr><p>HTTP Error 503. The service is unavailable.</p>
</BODY></HTML>
```
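Howard Xiao's observation (an A record for letsencrypt.cn at 211.151.125.110 that later became NXDOMAIN) and the dig transcript in the message just above are the kind of evidence a practitioner would want to capture repeatably when watching a lookalike domain. The script below is an added example, not code from the thread or from either CA. It parses dig's default text output, distinguishes a name that resolves from one that exists without an A record (NODATA) and from one that is gone entirely (NXDOMAIN), and summarises what changed between two captures. The NOERROR sample is the dig output posted above; the NXDOMAIN and NODATA samples are constructed, with made-up SOA values.

```python
"""Classify dig(1) output for a watched domain and describe what changed between two runs.

Added example, not code from the thread. The NOERROR sample is the dig output
posted in the thread; the NXDOMAIN and NODATA samples are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
# name  ttl  IN  type  rdata  (dig separates the fields with tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")


@dataclass
class DigResult:
    status: str                                            # rcode from the header line
    answers: List[Tuple[str, int, str, str]] = field(default_factory=list)

    @property
    def classification(self) -> str:
        if self.status == "NXDOMAIN":
            return "nxdomain"   # no records of any type remain for the name
        if self.status != "NOERROR":
            return "error:" + self.status
        if not self.answers:
            return "nodata"     # the name exists but has no record of the queried type
        return "resolves"


def parse_dig(text: str) -> DigResult:
    """Parse the header status and the ANSWER SECTION of dig's default output."""
    status = None
    answers = []
    in_answer = False
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            status = m.group(2)
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";"):   # any other section header, comment or question line
            in_answer = False
            continue
        if in_answer:
            m = RR_RE.match(line)
            if m:
                answers.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    if status is None:
        raise ValueError("no dig header line found")
    return DigResult(status, answers)


def a_records(result: DigResult) -> List[str]:
    """IPv4 addresses from the answer section, in the order dig printed them."""
    return [rdata for (_name, _ttl, rtype, rdata) in result.answers if rtype == "A"]


def describe_change(old_text: str, new_text: str) -> str:
    """Summarise the difference between two captures, e.g. a record that was pulled."""
    old, new = parse_dig(old_text), parse_dig(new_text)
    old_ips, new_ips = a_records(old), a_records(new)
    if old_ips == new_ips:
        return "unchanged: " + (", ".join(old_ips) or old.classification)
    if old_ips and not new_ips:
        return f"A record removed (was {', '.join(old_ips)}); name now {new.classification}"
    if new_ips and not old_ips:
        return f"A record added ({', '.join(new_ips)}); was {old.classification}"
    return f"A record changed: {', '.join(old_ips)} -> {', '.join(new_ips)}"


# Sample 1: the dig output posted in the thread (NOERROR, one A record).
DIG_NOERROR = """\
; <<>> DiG 9.11.0-P1 <<>> letsencrypt.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63776
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;letsencrypt.cn. IN A

;; ANSWER SECTION:
letsencrypt.cn. 3481 IN A 211.151.125.110

;; Query time: 0 msec
;; SERVER: [scrambled]
;; WHEN: Sun Dec 18 15:30:24 JST 2016
;; MSG SIZE rcvd: 59
"""

# Sample 2: constructed. The whole name is gone from the zone (NXDOMAIN); SOA values are made up.
DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;letsencrypt.cn. IN A

;; AUTHORITY SECTION:
cn. 600 IN SOA ns.example. hostmaster.example. 1 7200 3600 1209600 600
"""

# Sample 3: constructed. Only the A record was deleted; the name still exists (NODATA).
DIG_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4343
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;letsencrypt.cn. IN A

;; AUTHORITY SECTION:
letsencrypt.cn. 600 IN SOA ns.example. hostmaster.example. 1 7200 3600 1209600 600
"""

if __name__ == "__main__":
    for label, sample in (("thread", DIG_NOERROR), ("nxdomain", DIG_NXDOMAIN), ("nodata", DIG_NODATA)):
        r = parse_dig(sample)
        print(f"{label:9} {r.classification:9} {a_records(r)}")
    print(describe_change(DIG_NOERROR, DIG_NXDOMAIN))
```

The distinction matters for the claim made above: deleting only the A record from a zone in which the name still carries other records yields NODATA (NOERROR with an empty answer), whereas NXDOMAIN means no records of any type remain for the name. Pipe `dig letsencrypt.cn` into `parse_dig` on a schedule and keep the raw captures; `describe_change` then gives a one-line audit trail of when a record appeared or disappeared.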

Richard Wang
Dec 19, 2016, 9:31:28 PM
to jo...@letsencrypt.org, mozilla-dev-s...@lists.mozilla.org
I got the email from Josh, this is my reply:

Hi Josh,

Glad to receive your formal request email.

Yes, it is hard for a foreigner to register a domain, and I also don't know how to transfer it to you. What I can do now is to resolve it to your website.

As I said we can transfer to you at any time.


Best Regards,

Richard

-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosig...@lists.mozilla.org] On
Behalf Of jo...@letsencrypt.org
Sent: Monday, December 19, 2016 12:36 PM
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: wosign and letsencrypt.cn / letsencrypt.com.cn

We had some trouble figuring out how to purchase a Chinese domain name before
we launched, so we didn't purchase it then. We've never talked to wosign about
this before, and we haven't seen the domain used for anything confusing so
far. This is our first interaction about it and we're happy to hear that
Richard would like to help us out by transferring the domains.

Thanks Richard, I'll be in touch.

On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote:
> I wish everyone can talk about this case friendly and equally.
>
> It is very common that everyone can register any domain based on the first
> come, first served rule.
>
> We know Let's Encrypt was released after the public announcement, but two days
> later its .cn domain was still not registered; I think maybe it was caused by
> the strict registration rules in China, so I registered it for protection,
> so that it would not be registered by Cornbug.
>
> We don't use those domains for any of WoSign's services, though we provide a
> similar service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt)
>
> Now, if Mozilla or Let's Encrypt contact me officially and request to
> transfer the two domains to them, no problem, we can transfer them
> for FREE!
>
> But please notice that this arrangement is for friendship, not for others
> ......
>
>
> Best Regards,
>
> Richard

Samuel Pinder
Dec 19, 2016, 9:55:00 PM
to Richard Wang, mozilla-dev-s...@lists.mozilla.org, jo...@letsencrypt.org
As far as I know, transferring by entering the name and address of the
person to transfer to would work via your registrar. But then CNNIC
will want to see a photo of a passport showing the name of the person
in full within a certain deadline, otherwise the domain would be
suspended. A registrar gathers this from the intended registrant and
they send it to CNNIC on your behalf, you don't send it directly to
CNNIC. Of course there is a distinction between a person and a company:
if you're transferring to a company, you'll need business documents
showing registration details.
See this FAQ: https://cnnic.com.cn/IS/CNym/cnymyhfaq/#8_1
One more thing to be aware of not listed in the FAQ there: CNNIC will
want to know if you will be using the domain within China, as that
requires an ACP licence for any website hosted on port 80, 8080, or
443. Choosing "no" would mean the domain would resolve, but any
website on it would be inaccessible within China and would only work
abroad, since ACP licences *apparently* are only available to Chinese
companies. What this effectively means for Let's Encrypt, you'd have
the domain name to protect it, but wouldn't be able to use it within
China unless you had an actual presence there and acquired an ACP
licence. I registered a .cn domain some time ago, so just thought I'd
share my knowledge. Good luck, and sorry it kinda goes outside the
scope of this thread.
Sam

谭晓生
Dec 20, 2016, 1:46:32 AM
to Samuel Pinder, Richard Wang, mozilla-dev-s...@lists.mozilla.org, jo...@letsencrypt.org
It is the ICP license you talked about; you can find some information here:
https://support.cloudflare.com/hc/en-us/articles/209714777-ICP-FAQ

It is almost impossible to legally register a .cn or .com.cn domain in China for a foreign company which does not have a legal entity in China.
Websites will be blocked by the ISP/telco if they are hosted in China but do not have valid ICP licenses, or even if their IPs have not been registered with the government. It was not that hard before, but there are more and more regulatory policies.

For Letsencrypt, if you want to own the .cn or .com.cn domain legally, think about setting up a legal entity in China.

Thanks,
Xiaosheng Tan



On 2016/12/20 at 10:54 AM, "dev-security-policy on behalf of Samuel Pinder" <dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org on behalf of s...@samspin.net> wrote:

Han Yuwei
Dec 20, 2016, 2:33:55 PM
to mozilla-dev-s...@lists.mozilla.org
On Tuesday, December 20, 2016 at 8:21:33 PM UTC+8, Tom wrote:
> According to the Uniform Domain-Name Dispute-Resolution Policy, letsencrypt.cn seems to be used in bad faith.
>
> On December 20, 2016 2:45:47 PM GMT+08:00, "谭晓生" <tanxia...@360.cn> wrote:
> >It is the ICP license you talked about; you can find some information here:
> >https://support.cloudflare.com/hc/en-us/articles/209714777-ICP-FAQ
> >
> >It is almost impossible to legally register a .cn or .com.cn domain in
> >China for a foreign company which does not have a legal entity in
> >China.
> >Websites will be blocked by the ISP/telco if they are hosted in China
> >but do not have valid ICP licenses, or even if their IPs have not been
> >registered with the government. It was not that hard before, but there
> >are more and more regulatory policies.
>
> Yep. As far as I know, it must use the service of one of the Chinese hosting providers. Therefore, a .cn domain name must point to a Chinese IP address.
>
> On December 19, 2016 3:54:43 PM GMT+08:00, Han Yuwei <hanyu...@gmail.com> wrote:
> >Since letsencrypt.org is very famous, I think the best way is to
> >redirect letsencrypt.com.cn and letsencrypt.cn to letsencrypt.org
>
> And redirecting to a website which doesn't have an ICP license is disallowed.
>
> tanxia...@360.cn wrote:
> >For Letsencrypt, if you want to own the .cn or .com.cn domain legally,
> >think about setting up a legal entity in China.
>
> I don't think it's a good idea. It may take much time and money for the organization. And I think that the Chinese government is not friendly to foreign companies/organizations.

.cn can use a CNAME redirect and isn't required to point to a Chinese IP address. ICP is for the *host*, not for the domain.

I think this is out of m.d.s.p's scope. Maybe we can leave this to Letsencrypt and Wosign.

Lewis Resmond
Dec 20, 2016, 9:20:47 PM
to mozilla-dev-s...@lists.mozilla.org
People here tend to bash WoSign/StartCom the whole time and make them guilty of nearly everything, including the Lindbergh Kidnapping. I also think people are actively searching for anything they can blame, and ignore/tolerate incidents of other CAs.

tde...@gmail.com
Dec 21, 2016, 7:42:52 AM
to mozilla-dev-s...@lists.mozilla.org
On Monday, December 19, 2016 at 2:45:16 AM UTC+1, Richard Wang wrote:
> I wish everyone can talk about this case friendly and equally.

I'm sorry about the WoSign-bashing that followed. It wasn't my intention.

> We know Let's Encrypt was released after the public announcement, but two days later its .cn domain was still not registered; I think maybe it was caused by the strict registration rules in China, so I registered it for protection, so that it would not be registered by Cornbug.

Thank you for that and for your prompt response.

I think Mozilla still hasn't answered my first question: what is the position of Mozilla regarding a CA that acts in bad faith regarding the usage of names associated with other CAs (like registering such trademarks or domains)?

WoSign's answer to my question was positive and in my opinion faithful, but it's not the first time a CA has engaged in such behavior, and I think Mozilla should at least make an official comment.

Best regards

Gervase Markham
Dec 22, 2016, 7:21:03 AM
to tde...@gmail.com
On 21/12/16 12:42, tde...@gmail.com wrote:
> I think Mozilla still hasn't answered my first question: what is the
> position of Mozilla regarding a CA that acts in bad faith regarding the
> usage of names associated with other CAs (like registering such
> trademarks or domains)?

It's never come up. But I think we would be reluctant to intervene;
there are other mechanisms for sorting out such disputes, and it's not
our job to interpret or enforce trademark law or domain name dispute
resolution law.

Gerv

Tom Delmas
Dec 22, 2016, 9:30:16 AM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
Hi Gerv,

> It's never come up. But I think we would be reluctant to intervene;
Thank you for that answer. I understand it.

> there are other mechanisms for sorting out such disputes, and it's not
> our job to interpret or enforce trademark law or domain name dispute
> resolution law.

There are other mechanisms. But hard to use, especially between
countries. As a Firefox user,
I expect that CA trusted by Firefox are clearly identifiable and
distinguishable from each others.

We need CA to avoid website impersonation. In order to achieve that, I
feel that "CA impersonation" must be avoided before all.

And the logical way to do it in my opinion is in the Mozilla CA
Certificate Policy.

Tom

Richard Wang
Dec 22, 2016, 8:48:22 PM
to Tom Delmas, Gervase Markham, mozilla-dev-s...@lists.mozilla.org
In this case, no CA is named with a name similar to letsencrypt, and no CA
wants to impersonate; most CA programs require the root CA to have a unique
friendly name in the CA program.


Best Regards,

Richard

-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosig...@lists.mozilla.org] On

Gervase Markham
Dec 23, 2016, 5:52:54 AM
to Tom Delmas
On 22/12/16 14:30, Tom Delmas wrote:
> There are other mechanisms. But hard to use, especially between
> countries. As a Firefox user,
> I expect that CA trusted by Firefox are clearly identifiable and
> distinguishable from each others.

If CAs ever did something specific to Firefox or the root program, such
as submitting a root cert for inclusion whose common name was
misleading, we may well take action on that.

Gerv